C&A Tool Experience

I have been in Information Assurance/InfoSec for 9 years, mostly doing Certification and Accreditation (C&A) work. I have had the chance to take training on a tool called Xacta Web C&A (now called Xacta IA Manager), and I currently use SecureInfo's Risk Management System (RMS) tool to develop C&A documentation for all of our IT systems. I have read about the tool DoJ uses, which is based on the Trusted Agent FISMA (TAF) tool, but I am surprised by the lack of tools for C&A considering the legislation, Executive Orders, etc. requiring C&A in the Federal space. Has anyone used any of these tools or heard of any others? I am working on a report on the subject of C&A tools and I don't want to miss any.

3 Comments

I think there would need to be more standardization before a C&A tool would be applicable outside of one site or organization. We do C&A where I work and a significant amount of what we do is primarily to keep our accrediting authority happy enough to accept risk. Some of what we do is not documented in any government policy or procedure, but is deemed necessary due to locally-identified risks.

I was thinking about designing a web-based C&A application that would allow for

tracking of changes after the control implementations have been approved by the CA or AA,

direct control-based commenting by both the CA and AA,

workflow tracking, and

tracking/trending based upon controls.

From an assessment standpoint, I'd like to be able to identify systems using certain control implementations based upon keywords, or be able to conduct a targeted assessment of various controls across multiple systems. The data correlation benefits of an automated C&A tool really get me interested, not just the automation behind a primarily sneaker-net process.

The other benefits include automated notifications of upcoming requirements, such as recertification or re-accreditation, annual testing, annual plan reviews, and general plan/security maintenance activities. Some of our system owners complain that dates will get right up on them before they realize an action is due. An automated process for keeping system owners aware of certain required actions would help the C&A process greatly.

I agree with Piroufreek; however, the real danger in attempting to achieve high quality for C&A documentation and artifact development without standardization (or a centralized tool or system) to find the most appropriate templates is that the C&A process becomes error-prone and may not be adequate or satisfactory to the certifier until it is too late, or later in the C&A process. This creates a lot of rework and lost time.

Sometimes depending on the Organization and/or certifier/DAA, the required technical artifacts to supplement the basic C&A executive documentation package may vary and depend on the type of information system (IS), AIS application and/or IA Controls and security requirements levied on the IS or AIS application in question.

Yes, a good C&A documentation generation and CM/DM tool should have at least the qualities Piroufreek listed above, but the tool or application should be modular and flexible enough to allow adjustment for the C&A process and the type of C&A being performed, as well as extensible enough to allow for the easy generation of new technical artifacts and modification of existing ones as the C&A strategy evolves.

And just maybe, when these resources become more standardized and more readily available, some developer will create a tool (or tool suite) that standardizes CM/DM for C&A across various communities in the commercial sector and government at large.

P.S. Perhaps one of the C&A tools that Infosec Guy had referred to was that of Cyber Security Assessment and Management (CSAM)

I did mean the CSAM tool. I have seen it in action, as well as a tool based on the OpenFISMA tool. As far as what needs to be recorded, that is pretty much standard, even if the specific documents they are recorded in are a bit different. We need to capture system info, security control info, contingency planning procedures, control remediation efforts, and the personnel who are responsible for the system. The other part of a tool is the presentation and any notifications required to stay current. Any tool that allows at least a few views into the information would be great. A former boss said he wanted a "Turbo Tax for C&A" tool: a tool that allows you to go in and enter information section by section, with links for help readily accessible. A documentation check that can review the package for completeness, and somewhat for correctness, is the type of thing that does not exist today. Tools that are open source or very customizable are great, but if a tool can't do the basics of what you need right out of the box, then it's not that great a tool.
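As an added illustration (not code from any of the posters or from the tools named in the thread), the sketch below shows the two features the discussion keeps returning to: a completeness check over the package contents listed in the last comment (system info, controls, contingency plan, remediation, responsible personnel) and the automated reminders for recurring actions that Piroufreek describes. The package layout, the three-year/annual cycle lengths, the sample system, control IDs, names and dates are all assumptions constructed for the example; real cycle lengths come from your accreditor.

```python
from copy import deepcopy
from datetime import date, timedelta

# Required sections of a package, following the list in the comment above
# (system info, security controls, contingency planning, remediation, responsible personnel).
REQUIRED_SECTIONS = ("system_info", "controls", "contingency_plan", "remediation", "personnel")

# Assumed recurring obligations and cycle lengths in days; adjust to your accreditor's rules.
CYCLES = {"reaccreditation": 3 * 365, "annual_testing": 365, "plan_review": 365}


def check_completeness(package: dict) -> list:
    """Return findings (strings); an empty list means the basic checks pass."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not package.get(section):
            findings.append(f"missing or empty section: {section}")
    # Cross-checks between sections: every control needs an implementation statement,
    # an owner who actually appears in the personnel list, and, if it is not yet
    # implemented, a matching remediation (POA&M-style) entry.
    people = {p["name"] for p in package.get("personnel", [])}
    remediated = {r["control"] for r in package.get("remediation", [])}
    for ctrl in package.get("controls", []):
        cid = ctrl.get("id", "<no id>")
        if not ctrl.get("implementation"):
            findings.append(f"control {cid}: no implementation statement")
        if ctrl.get("owner") not in people:
            findings.append(f"control {cid}: owner '{ctrl.get('owner')}' not listed in personnel")
        if ctrl.get("status") == "not implemented" and cid not in remediated:
            findings.append(f"control {cid}: not implemented but has no remediation entry")
    return findings


def upcoming_actions(package: dict, today: date, warn_days: int = 90) -> list:
    """(action, due_date, days_left) for obligations due within warn_days; negative = overdue."""
    out = []
    for action, cycle in CYCLES.items():
        last = package.get("dates", {}).get(action)
        if last is None:
            continue  # never performed; a completeness finding of its own, out of scope here
        due = last + timedelta(days=cycle)
        days_left = (due - today).days
        if days_left <= warn_days:
            out.append((action, due, days_left))
    return sorted(out, key=lambda item: item[1])


# Constructed sample package (fictitious system, controls, names and dates).
SAMPLE_PACKAGE = {
    "system_info": {"name": "Payroll Support System", "impact": "moderate"},
    "personnel": [{"name": "J. Smith", "role": "system owner"}],
    "controls": [
        {"id": "AC-2", "implementation": "Accounts provisioned via HR feed; quarterly review.",
         "owner": "J. Smith", "status": "implemented"},
        {"id": "AC-7", "implementation": "Lockout after 5 failed attempts (planned).",
         "owner": "J. Smith", "status": "not implemented"},
        {"id": "CM-6", "implementation": "Baseline applied from hardening guide.",
         "owner": "Nobody", "status": "implemented"},
    ],
    "contingency_plan": [],
    "remediation": [],
    "dates": {"reaccreditation": date(2006, 7, 1),
              "annual_testing": date(2008, 5, 15),
              "plan_review": date(2008, 8, 1)},
}
TODAY = date(2009, 6, 1)  # constructed "as of" date for the reminder check

# The same package after the system owner clears the findings.
FIXED_PACKAGE = deepcopy(SAMPLE_PACKAGE)
FIXED_PACKAGE["contingency_plan"] = ["Failover to alternate site; RTO 24h."]
FIXED_PACKAGE["remediation"] = [{"control": "AC-7", "milestone": date(2009, 9, 30)}]
FIXED_PACKAGE["controls"][2]["owner"] = "J. Smith"

if __name__ == "__main__":
    for finding in check_completeness(SAMPLE_PACKAGE):
        print("FINDING:", finding)
    for action, due, left in upcoming_actions(SAMPLE_PACKAGE, TODAY):
        state = f"overdue by {-left} days" if left < 0 else f"{left} days left"
        print(f"{action}: due {due} ({state})")
```

The cross-checks are the part a template-driven document generator does not give you: a package can have every section filled in and still name a control owner who is not on the personnel list or carry an unimplemented control with no remediation plan, which is exactly what a certifier catches late in the process.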
